Posted
by
Soulskill
on Friday August 03, 2012 @01:17PM
from the 72%-of-statistics-are-made-up dept.

wiredmikey sends this excerpt from SecurityWeek:
"A recent article on ProPublica dissected two commonly quoted figures about cybersecurity: $1 trillion in losses due to cybercrime itself and $388 million in IP losses for American companies. Both figures have been scrutinized and challenged by many, and viewed as typical security vendor FUD. ... The $1 trillion figure is attributed to anti-virus vendor McAfee, while the $388 million in IP losses number belongs to Symantec's Norton division. According to ProPublica, 'The report was not actually researched by Norton employees; it was outsourced to a market research firm, StrategyOne, which is owned by the public relations giant Edelman.' The problem with both of these figures — $1 trillion and $388 million — is, as Microsoft researchers pointed out earlier this year in a report fittingly titled 'Sex, Lies, and Cybercrime,' they are studded with outliers. In one example they cite that a single individual who claims $50,000 losses, in an N = 1000 person survey, is enough to extrapolate a $10 billion loss over the population. In another, one unverified claim of $7,500 in phishing losses translates into $1.5 billion over the population. The Microsoft researchers concluded: 'Are we really producing cyber-crime estimates where 75% of the estimate comes from the unverified self-reported answers of one or two people? Unfortunately, it appears so. Can any faith whatever be placed in the surveys we have? No, it appears not.'"

Obviously, the $1 trillion figure is made up. The real figure is more likely in the tens of millions, maybe a little higher, but probably even less than that. The thing is, and the reason people can get away with citing a number that ridiculous, is because it is so large. People simply have no concept of scale that large. You can't hold a number that large in your head, not insofar as it applies to something real. As a pure number, sure, but not as a number of something. The human brain can comprehend tens, even thousands: but trillions are simply too large for the mind to hold, which means that as a talking point, a couple billion is about the same as a trillion for your average human: it basically just ends up meaning "a really really really lot."

If you approach rebuking the number as "well what should the number really be", you aren't countering the key point behind those figures, which is simply to express a massive quantity. If you respond by saying the number should really be in the millions, people will usually scoff at you ("no way McAfee could have been that wrong") or at best simply take the average of the two numbers, which still yields a massive number in their head. The point of such studies isn't to be scientific: it's to be rhetorical. So ultimately, to the people citing that number, it doesn't matter in the slightest if it is true, or how it was a arrived at. All it matters is they have a really big number to cite that they can say is "scientific" or "proof that we need to take action."

If the losses are really only in the millions, how is there a market for zero-day exploits of ~$50k each? To engage in your average criminal activity, you need at least a 10:1 payout for something low-risk logically. If the packaged exploit is half the cost of executing the scam, your average zero-day should gross $1MM. Isn't it easier to skim $100k from a brokerage account than mine bit coins?

Of course, your average criminal isn't too good at math, but it hardly seems that difficult to cast a big enough

Obviously, the $1 trillion figure is made up. The real figure is more likely in the tens of millions, maybe a little higher, but probably even less than that.

Wait a minute now. The derivatives market by itself, is close to $800Trillion. That's "trillion" with a "T" and represents a sum that equals many times more than the GDP of the entire world.

The manipulation of Libor and stealing by simply timing the rate changes could easily have represented $1Trillion in crime.

Add to that the investment banks using their position to do high-frequency trading, in effect "peeking" at their customer transactions to jump in front (yes, that's a crime) and all the rest of the straight up fraud and theft that is being perpetrated by the big banks thanks to their proximity to the Federal Reserve and we've left $1Trillion in cybercrime about five miles back.

You make the mistake of thinking that "cybercrime" can only be Balkan hackers or credit card scammers - small time fraudsters. The real cybercrime is being perpetrated by our financial elite on a scale that makes them absolutely untouchable - out of the reach of any government. Hell, the medicare fraud by the company owned by the governor of Florida, Rick Scott, caused them to pay a fine of a billion dollars, which means the amount they stole using their computer medicare billing system is well over that amount. That's certainly cyber-crime.

Then look at the $27trillion being held illegally off-shore by American citizens to evade taxes (also a crime and also made possible thanks to computers) and the figure of what could be called "cybercrime" adds up to more than the total GDP of the United States and Japan combined. To give you an idea of the impunity with which this illegal (as in crime) activity is engaged, one of the people who almost certainly took advantage of the 2009 amnesty by which these tax cheats could repatriate their money to the US without facing criminal prosecution is now running for president.

If you just take the cases of cybercrime that the biggest banks have already settled with the Justice Department, you get way over $1trillion.

It's silly to think that the $1 trillion figure is "made up". Just look at the deal that's being cut in regard to the massive amount of mortgage fraud. The amounts there are what, 700, 800 million dollars?

Of course, the lawyers tell their clients, when settling for pennies on the dollar, to "admit no wrongdoing" but to pay up anyway because they committed the crimes

I can't even remember what comes after "trillion". Is it "quadrillion"? Well the derivatives market, that shadow market that is tied to absolutely nothing real - not equities, not bonds, stocks, nothing but money in the hands of a tiny number of people, nothing that adds a goddamn thing to society, and we're bumping right up against that quadrill

You are quite wrong. The discrete quantities the human brain can quickly recognize are much smaller than that.

Think of people in a room; you enter a room and you see 3 people. You don't have to think for a second, you know it's 3 people, instantly. The same with 4. Perhaps 5. After 6 people, you might not realize, but, as you count them, you'll probably be counting in groups of 3 or 4. Everything above 6 or 7 you only estimate (e.g.: "there were *about* 15 people in that room"), unless you actually take tim

Throw that one guy out as a strange "outlier" and the number is zero. That is more believeable.

Lies, damn lies and statistics. Grarbage in garbage out.

If it was only one person out of a full one thousand sample then the sample size is way to small to be statistically significant. Whoever did the statistical analysis should be fired. With that low a report rate you don't know it is 1/1e6 or 1/1e9 and you just got unlucky in the sample.

You're part of the problem. Lies and fraud should not be tolerated, regardless of whether it's someone's "job". It's wrong, and causes damage to society by misleading people and ultimately tricking them into parting with their money.

It is not only cyber-crime estimates that are coming from one or two self-reported unverified people. All the economy related numbers are made up, reverse engineered, adjusted to fit the narrative of the political power.

1 Trillion USD losses to cyber-crime? So taking the 15 Trillion GDP figure at face value (which you must not make mistake of doing), it means that over 6% of the GDP is lost due to all this 'cyber-crime'. 6%. The entire USA agriculture sector is 4% of the reported GDP.

Well, in this case, it is basically Microsoft defending itself against the FUD from Norton, because the only reason you should need Norton is if Microsoft Windows sucks. So Microsoft will attempt to minimize the reported cybercrime numbers because it reflects poorly on them.

I'm not saying Microsoft is wrong in their analysis here, in fact I think they are correct, but you cannot say that Microsoft is "helping" anybody but themselves by exposing the FUD. I highly doubt that they would help expose any FUD a

Something like, $1 trillion with a 90% confidence interval of [$1000, $2 trillion] would have been completely honest:-)
(this is the kind of confidence interval you would get using the bootstrap method on the kind of data they describe, i.e. data with one huge outlier).

If they are including spyware/virus in their "cybercrime" definition, the numbers make sense.

Consider this:

I've got a customer who had two of their machines taken out by viruses. At a billable rate of $180/hour, it took approximately 10-12 hours to try the cleaning solutions (which of course did not work) and then reformat and reinstall Windows and the five-million updates to updates to updates. So that's just two occurrences in one week costing the client $4,000.00 for actions due in large part to whoever

... sheesh, they could have found a guy on Craigslist that would have immediately jumped to the "gotta reinstall windows" solution for $40 a pop.

"Just the annual cost for this one company alone could justify extrapolating the seemingly over-inflated costs of cybercrime."

No, your overinflated $180/hr billing rate is as much to blame for this one as does milking the client for money. Seriously, as someone that does AV cleanup as part of my security duties for a large global company I gotta call bullshit on yo

... enough to show me just how bad you are at your job. Your industry average of $250/hr is complete bs; a number pulled out of your ass to justify raping this company due to their own ignorance. I understand, it's your cash cow and you will do anything to protect your interests, but right now you look like a used car salesman from the 80's; lying to the customer just to make a buck.

... no matter what you say, or how you try to justify it, you're still giving it to them with no Vaseline or even so much as a reach around or peck on the cheek. The only reason you're still in business is because you found a sucker of a company and are milking them to make your BMW payments.

One can get an H1B Indian consultant to stand up an SAP BobJ instance on SUSE 10 for around $160/hr right now and he/she will sit in your office to do the job, you can get them for that much to do a wide range of things

I do agree, that his rate seems to be a bit inflated, especially if he has an ongoing relationship with his client.

But "Robert Half"? What is that? Some kind of Temp agency? Do their Temps come with their own CD/DVDs? USB backup drives? Will they come with their own rescue/toolkit USB sticks? Or will the Temp have to Google his way out of your predicament? And will the Temp have to rely on you for finding your installation CDs/DVDs?

And every time you call this Robert Half agency, will the same exact person

You've supported this company for years and still haven't made a standard system image? I guess if they don't know any better it's a nice way to milk your customers. Good job, you make us all look great.
And what company over 5 people buys machines with bloatware? They going into Bestbuy?

Up until last year, they had their own inside IT person who was from the mainframe world and was a bit out of her element. They have 50 people and 49 different workstations. Not my choice. Not my sale. They have been buying onesy/twosy machines since slooooooowly transitioning from Wyse serial terminals into the PC world.

Most of the people who commented on this portion of the main post should really sit down and watch Glengarry, Glenn Ross: "Never open your mouth when you don't know the shot". Jesus Ch

I'll put that in my morning memo: "Please Note: An anonymous coward on the internet will be glad to replace my 20 years of working with your company and 30 years of experience with setups exactly as yours with his own home spun bargain basement virus repair. I'll gladly repair them when he is finished".

Rather than be a smart aleck, what would you do if: you warned the customer's about the specific viruses they're getting hit with, your warned them of the insufficiency of their current antivirus, you repeatedly told them that we have to upgrade from Outlook Express to a real email program, you warn that they need a much more reliable and secure email server with modern filtering capabilities, and they refuse to acquiesce to any of those recommendations?

I work for a company that analyzes transactions and detects account takeovers and thefts at banks. Banks call us when they suffer a loss or series of losses. When they call us these losses are typically over $300,000 and the largest attack we've seen is for about $1.5M. We do NOT deal with the biggest banks, mostly regional and local banks. In case you didn't know, there are about 15,000 banks and credit unions in the U.S., so there are a lot of targets for criminals. Not all these banks have assets worth s

you know, even one billion dollars is pretty far from one trillion dollars.by the way this cybercrime doesn't include apparently wire fraud, which certainly existed before "cyber" as well.

this one trillion dollars isn't mainly even based on real dollars the companies held in their hands, but on IMAGINARY POTENTIAL PROPERTY value. they estimate that their new widget is worth 23 millions and that they lost that due to breach and that would have been included in the study, never mind that there weren't enough

RIAA have this science down pat. I mean they sued Limewire for 51$ Trillion dollars! (insert pinky)

All these companies come up with BS numbers to push their own agenda. Oh and you can bet every study done by the MPAA and RIAA, were all done by "independent" sources... I mean I recall a number used for piracy being used in Canadian lobby, that was so self refreential it was neigh impossible to figure out where it came from. When they finally did, it was an unsourced, no details presentation, done by RIAA themselves, pass on from them to others, to studies, etc...

Just like the Academy of Tobacco Studies, the Moderation Council, and SAFTY were all unassoicated with their terrible industry overlords...

. ..a UK citizen, last I heard she was with the state gov't of Colorado, who pulled a hundreds of billions of dollars figure out of her butt while she was at some talk in Saudi Arabia --- pure BS as she was and probably still isn't -- at her age -- any type of computer science industry expert, etc. Frequently repeated, with no validation nor verification whatsoever --- typical of the Amerikan non-media.